Install OpenLDAP

This part is easy:

pacman -S openldap

The openldap package contains two things: the LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring LDAP authentication on that very computer, in which case the LDAP client will query the LDAP server from the same package.

Configure OpenLDAP

The server (slapd)

You can start the server like any other daemon, by executing

/etc/rc.d/slapd start

There are two config files you may have to edit, though:

/etc/openldap/slapd.conf

You can define the access rules here, the root "user" etc.

If you want to use SSL, you have to specify a path to your certificates here.

/etc/conf.d/slapd

Very important: you define here on which port the server should listen. If you want to use SSL, you will want to use the ldaps:// URI instead of the default ldap://.
You can also specify additional slapd options here.

The client

The client is usually not such a big deal. Just keep in mind that your apps that require LDAP auth use it, so if something goes wrong with LDAP, don't waste your time with the app; start debugging the client instead.

The client config file is located at /etc/openldap/ldap.conf and is actually very simple.

If you decide to use SSL:

The protocol (ldap or ldaps) in the URI entry has to match the slapd configuration.

If you decide to use self-signed certificates, you have to point TLS_CACERT at them so the client trusts the server certificate.

Test your new OpenLDAP installation

This is easy, just run the command below:

ldapsearch -x -D <root dn from slapd.conf> -W

You should get at least some output, containing the line

result: 0 Success

Just for basic insight: the -x option means "use simple authentication", you specify the DN you want to bind to with the -D switch, and -W means "prompt for password".

Design LDAP Directory

This all depends on what organization your network/computer is modeling.

Troubleshooting

After migrating to LDAP or updating an LDAP-backed system, udevd can hang at boot at the message "Starting UDev Daemon". This is usually caused by udevd trying to look up a group name from LDAP and failing, because the network is not up yet. The solution is to ensure that all group names referenced by udev rules are present locally in /etc/group.

Extract the group names referenced in udev rules and the group names actually present on the system:
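One way to do that comparison, as an added example that is not part of the original page: the script below pulls every GROUP="name" (and GROUP:="name") assignment out of the rule files under a directory and reports the names that are absent from a local group file. The directory and group-file paths are assumed parameters so it can be pointed at a test tree; on a real system they would be /etc/udev/rules.d, /usr/lib/udev/rules.d and /etc/group.

```shell
#!/bin/sh
# Added example, not the page's own commands.
# Lists group names referenced by udev rules and checks them against a
# local group(5) file. The check deliberately reads the file directly rather
# than calling getent, because getent would consult LDAP and hide the very
# problem described above (a name that exists only in the directory).

# Print the distinct group names assigned by GROUP="name" or GROUP:="name"
# in every *.rules file below the given directory. Match operators such as
# GROUP=="name" are ignored; they do not require the group to exist.
udev_rule_groups() {
    rules_dir=$1
    find "$rules_dir" -type f -name '*.rules' \
        -exec sed -n 's/.*GROUP[[:space:]]*:\{0,1\}=[[:space:]]*"\([^"]*\)".*/\1/p' {} \; \
        | sort -u
}

# Print the referenced group names that have no entry in the group file.
# Exit status is 0 even when names are missing; the output is the report.
missing_udev_groups() {
    rules_dir=$1
    group_file=$2
    udev_rule_groups "$rules_dir" | while read -r g; do
        if ! cut -d: -f1 "$group_file" | grep -qx -- "$g"; then
            printf '%s\n' "$g"
        fi
    done
}

# Usage: ./check-udev-groups.sh /etc/udev/rules.d /etc/group
if [ "$#" -eq 2 ]; then
    missing_udev_groups "$1" "$2"
fi
```

Any name the script prints should be added to /etc/group (with the same GID it has in LDAP) before the next reboot.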